Comment and Version lines leak information

Anonymous Remailer nobody@mailtraq.net
Mon Aug 6 12:04:02 2001


Frank Tobin writes:

>Anonymous, at 05:18 +0200 on Mon, 6 Aug 2001, wrote:
>> A security program should not, by default, leak information.
>
> You're talking about anonymity, which is different from security.

Nothing was said about anonymity.
> The type of "security" you get from the measures you describe is
> merely obfuscation.

Word games aside, real security people don't go out of their way to leak information.
> Furthermore, when developing a widely-distributed program such as
> GnuPG, and trying to ensure interoperability, it is very useful to
> know what versions people are using. Just like ssh and Apache,
> there is no attempt to hide what version the software is.

The version and comment strings are unused by the software. Having used gpg and pgp steadily for years, and having provided a lot of free support, I can state with confidence that these strings are of little use because you have to ask "what are you using?" anyway. In the worst case, which I believe scarcely exists, you could turn on the feature, even if it wasn't the default.

Further, the only reason you have to start asking about version is because gpg generates unhelpful error messages when it gets a "wrong" algorithm. It should tell you exactly which algorithm it doesn't like and why. I had a bit of a problem with 1.0.4 or so. My correspondent was using a patched version of 1.0.4 which liked Rijndael. My version, an earlier version of 1.0.4, deprecated Rijndael. The warning message I got was completely unhelpful. (It says something like "Deprecated algorithm!" without further detail.) And, the version string was misleading because it was claiming we were running the same version of the software. I had to resort to printfs to figure it out.
> The choice to erase stuff from the comment string is up to the user. But
> the benefits of the default comment, I feel, heavily outweigh any
> negatives.

This belief should be reconsidered. Lest this message appear too negative: gpg is the best OpenPGP compliant implementation and I recommend it frequently. Thanks to everybody who worked on it!
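The disagreement above is about the `Version:` and `Comment:` armor header lines that sit between the `-----BEGIN PGP ...-----` line and the base64 body of an ASCII-armored OpenPGP message. Whatever the default ends up being, a user or a mail gateway can check the armored output it actually produces rather than trusting the defaults. The following Python is an added example written for this editing pass, not code from the thread or from GnuPG: it parses the armor header block, reports the headers that identify the software, and returns a copy of the armor with those lines removed. The sample message is constructed (its body is dummy base64, not a real OpenPGP packet), and treating header names case-insensitively is an assumption made here for robustness.

```python
"""Audit and strip identifying armor headers from an OpenPGP armored block."""

# Constructed sample: the armor headers old gpg emitted by default
# (the base64 body below is a placeholder, not a real OpenPGP packet).
SAMPLE_ARMOR = """-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

hQEMA0123456789ABCDEFhQEMA0123456789ABCDEF
=AbCd
-----END PGP MESSAGE-----
"""

# Armor headers that describe the sender's software rather than the data.
# Header names are compared case-insensitively (an assumption of this example).
LEAKY_HEADERS = {"version", "comment"}


def split_armor(armor: str):
    """Split an armored block into (lines up to and including BEGIN,
    header lines, remaining lines starting at the blank separator)."""
    lines = armor.splitlines()
    begin = next(i for i, line in enumerate(lines)
                 if line.startswith("-----BEGIN PGP "))
    j = begin + 1
    headers = []
    # Armor headers run from the BEGIN line to the first blank line.
    while j < len(lines) and lines[j].strip():
        headers.append(lines[j])
        j += 1
    return lines[:begin + 1], headers, lines[j:]


def _header_name(line: str) -> str:
    return line.partition(":")[0].strip().lower()


def armor_headers(armor: str) -> dict:
    """Return all armor headers as {lowercase name: value}."""
    _, headers, _ = split_armor(armor)
    return {_header_name(h): h.partition(":")[2].strip() for h in headers}


def find_leaks(armor: str) -> dict:
    """Return only the headers that reveal which software produced the block."""
    return {k: v for k, v in armor_headers(armor).items() if k in LEAKY_HEADERS}


def strip_leaky_headers(armor: str) -> str:
    """Return the armored block with Version/Comment lines removed.

    The blank separator line after BEGIN is kept, so the result stays a
    well-formed armor block even when no header lines remain."""
    head, headers, rest = split_armor(armor)
    kept = [h for h in headers if _header_name(h) not in LEAKY_HEADERS]
    return "\n".join(head + kept + rest) + "\n"


if __name__ == "__main__":
    for name, value in find_leaks(SAMPLE_ARMOR).items():
        print(f"identifying header: {name} = {value}")
    print(strip_leaky_headers(SAMPLE_ARMOR))
```

Headers that carry information the recipient needs, such as `Hash:` on a clearsigned message or `Charset:`, are left in place; only the two software-identifying headers discussed in the thread are removed.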